
U.S. Government Shutdown Leaves Dozens of .Gov Websites Vulnerable

As the shutdown continues into its 21st day, dozens of .gov websites haven’t renewed their TLS certificates.

As the U.S. federal shutdown continues, dozens of U.S. government websites have been rendered either insecure or inaccessible due to expired transport layer security (TLS) certificates that have not been renewed.

In fact, .gov websites are using more than 80 TLS certificates that have expired, according to a report published Thursday by Netcraft. That’s because funding for renewals has been paused. Expired certificates open the affected sites to an array of cyber-attacks, most notably man-in-the-middle attacks, which allow bad actors to intercept exchanges between a user and a web application, either to eavesdrop or to impersonate the website and steal whatever data the user enters.

Dozens of sites are impacted, which include sensitive government payment portals and remote access services for organizations like NASA, the U.S. Department of Justice and the Court of Appeals.

The security issue has raised alarms as the U.S. government continues to be crippled by a partial government shutdown, which as of Friday has been ongoing for 21 days. About 800,000 federal employees are furloughed or temporarily working without pay, and millions more government contractors have been told not to come to work.


“With Donald Trump seemingly unwilling to compromise on his demands for a wall along the border with Mexico, and Democrats refusing to approve a budget containing $5.7B for the wall, the hundreds of thousands of unpaid federal employees might not be the only ones hurting,” said Netcraft. “As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens.”

One impacted U.S. website, belonging to the Department of Justice, uses a certificate that expired in the week leading up to the shutdown. According to Netcraft, the certificate was signed by trusted certificate authority GoDaddy – but it has not been renewed since it expired on December 17.

Another, the .gov website for Berkeley Lab, expired on January 8 and has not yet been replaced.

The issue has sparked concerns in the infosec space about how the sensitive government websites can be abused – and what other security issues are raised due to the shutdown.

“How many critical governmental systems are currently unmaintained, outdated and thus vulnerable? It seems to be a great opportunity for nation-state hacking groups to exploit U.S.’ momentary weakness to steal or alter extremely sensitive information,” High-Tech Bridge’s CEO Ilia Kolochenko said in an email.

HSTS Policies

Luckily, certain security measures were implemented before the shutdown that protect some .gov websites from cyber-attacks when their certificates have expired – but the downside is that those protected websites can no longer be accessed.


The security measure in question is HSTS preloading: certain usdoj.gov domains, and any subdomains under them, are on Chromium’s HSTS preload list, a list of sites hard-coded into Chrome as HTTPS-only. For sites on that list, the browser refuses the connection outright when the certificate has expired, so users cannot reach them at all.

However, not all sites implement the HSTS policies, and “consequently, most of the affected sites will display an interstitial security warning that the user will be able to bypass,” Netcraft said. While that means that the websites can at least be accessed, “this introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.”
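A small monitoring helper, added here as an example and not taken from Netcraft or the article, that turns the two checks the story turns on into code: how many days remain on a certificate (from the notAfter string Python's ssl module returns) and whether a site's Strict-Transport-Security header meets the Chromium preload submission rules published at hstspreload.org (max-age of at least one year, includeSubDomains and preload). The check_host() wiring is an assumption about how a team would run it against its own hosts; the other functions work offline on constructed inputs.

```python
import http.client
import ssl
from datetime import datetime, timezone

# hstspreload.org requires max-age >= 1 year plus includeSubDomains and
# preload before a domain is accepted into Chromium's hard-coded list.
PRELOAD_MIN_MAX_AGE = 31536000


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string returned by
    ssl.getpeercert(), e.g. 'Dec 17 23:59:59 2018 GMT' (constructed sample).
    A negative result means the certificate has already expired."""
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    expiry = expiry.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return int((expiry - now).total_seconds() // 86400)


def parse_hsts(header):
    """Split a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def meets_preload_requirements(policy):
    """True when the parsed policy satisfies the preload submission rules."""
    return (policy["max_age"] is not None
            and policy["max_age"] >= PRELOAD_MIN_MAX_AGE
            and policy["include_subdomains"] and policy["preload"])


def check_host(host, port=443, timeout=10):
    """Live check (needs network): returns (verified, days_left, hsts_policy).
    A chain-verification failure is what a browser sees on an expired cert:
    the session is still encrypted, but the server's identity is unproven."""
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ssl.create_default_context())
        conn.connect()  # grab the cert before any response may close the socket
        days = days_until_expiry(conn.sock.getpeercert()["notAfter"])
        conn.request("HEAD", "/")
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
        conn.close()
        return True, days, parse_hsts(hsts) if hsts else None
    except ssl.SSLCertVerificationError:
        return False, None, None
```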

Gov Shutdown’s Impact on Security

As the government shutdown continues, it is affecting security in a number of ways beyond expired certificates.

Fortalice Solutions’ Theresa Payton, the former White House CIO, said that the shutdown has an array of implications for cybersecurity issues across the country, including short-staffing agencies that are working on cybersecurity, spooking cybersecurity professionals who might otherwise be interested in public service or government contracting, and interfering with timelines for contracts.

“Leaders and legislators on both sides of the aisle would do well to take an ‘all-of-the-above’ approach when it comes to this shutdown and our national security goals,” she told Threatpost.

Kolochenko meanwhile said that moving forward, an emergency plan needs to be developed to deal with continuing critical security measures even during a government shutdown.

“The situation… points to a continuity plan that is poorly implemented in some federal agencies: Critical cybersecurity tasks and processes have to be maintained even if financing is temporarily paused,” Kolochenko said. “Otherwise, the entire model of governmental cybersecurity is questionable, and people may reasonably inquire where do their taxes go.”

Discussion

Lindsy,
The story leaves the reader with the impression that when an SSL cert expires the site stops being encrypted. That is inaccurate. Here is a quick explanation for clarity:
When SSL certificates expire, websites retain the certificates and the information in the certificates. However, everything the certificates verified for users is no longer valid. Although the data exchanged between servers and client computers continues to be encrypted, users can't trust that the encryption hasn't been compromised in some way. They can't tell whether organizations claiming to own domains are the true owners, and therefore cannot know for sure if a website is an official website or an imposter website.
Hope this clears up the issue.

Why would these government agencies even have waited until the last minute to do these certificate renewals? That seems like poor planning to me and is probably another example of the lackadaisical mindset on the part of government IT operations that leads to government agencies being so easily compromised. I'd be willing to bet that most of these .gov websites would still not have renewed certificates right now even if the funding was there.

Authors

Threatpost
